Criminal gangs are using LinkedIn to perpetrate “CEO fraud”, mining the social network for information about job titles and a company’s chain of command to impersonate senior executives and give bogus orders to those below them.
The frauds typically involve an email purporting to be from a finance director or chief executive sent to an underling in the company’s finance department, ordering them to transfer money quickly to a bank account for a specific reason.
“The attackers use LinkedIn to do corporate reconnaissance. It tells them a lot about who does what in an organisation,” said Andrew Nanson, who is director of Corvid, the military cyberdefence division of Ultra Electronics. “The criminals are using social engineering techniques. Most of the time people follow instructions they get on email, especially if it’s from a boss. If an email looks like it comes from a certain person, why wouldn’t someone believe it was from them?”
Attackers make an email appear to come from an official company account using simple techniques, such as replacing a character with a visually similar one. An “l” may become an “i”, so that Barclays appears as Barciays.
“The human brain will try to help you and you will read it as Barclays and your spam filter might not know there is no such thing as Barciays,” Mr Nanson said.
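Added example, not from the article or from Corvid: a small Python check that flags a sender domain which merely looks like a trusted one, catching the Barciays substitution described above as well as one-character typo-squats. The trusted-domain list and the sample addresses are constructed for illustration.

```python
import re

# Characters the eye tends to merge; each is mapped to a canonical form.
CONFUSABLES = {"rn": "m", "vv": "w", "i": "l", "1": "l", "|": "l", "0": "o", "5": "s"}

TRUSTED_DOMAINS = {"barclays.com", "example-corp.com"}  # constructed allow-list


def normalise(label: str) -> str:
    """Collapse confusable characters so that 'barciays' becomes 'barclays'."""
    s = label.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)  # multi-character pairs are replaced first
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in a From: value."""
    m = re.search(r"@([A-Za-z0-9.\-|]+)", address)
    if not m:
        return "unknown"
    domain = m.group(1).lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a subdomain of a trusted domain
    norm = normalise(domain)
    for t in trusted:
        if norm == normalise(t) or edit_distance(norm, normalise(t)) <= max_dist:
            return "lookalike"  # close to a trusted domain but not actually it
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers of the kind a finance mailbox might receive.
    for sender in ["cfo@barclays.com", "Finance Director <cfo@barciays.com>",
                   "ap@barc1ays.com", "someone@gmail.com"]:
        print(f"{classify_sender(sender):9s} {sender}")
```

A message whose sender classifies as "lookalike" is a candidate for quarantine or for an out-of-band call-back before any payment instruction is acted on.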
He added that attackers also scour corporate press releases for information about new contracts and who is in charge of them, identifying the customer and supplier by name.
“Six months after the announcement, [the supplier] sends an email saying, ‘our account details have changed, please send all future payments to . . . ’,” he said. “It’s very, very common. I’m aware of organisations that have lost hundreds of thousands through diversionary payment fraud.”
This year the magazine Fortune reported that Google and Facebook were tricked by Evaldas Rimasauskas, a 48-year-old Lithuanian, into sending him more than $100 million. According to the US Justice Department, he forged email addresses, invoices and corporate stamps to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.
A report last year from the City of London police’s National Fraud Intelligence Bureau showed that £32 million had been reported lost as a result of CEO fraud in Britain. The actual figure is likely to be far higher, as many may not realise they have been hit. Action Fraud, the cybercrime reporting centre, reported last year that the average loss is £35,000, but one company lost £18.5 million.
Most organisations now train staff to spot phishing attacks. Many cybersecurity systems can identify malware and malicious websites, but a fraudulent payment instruction contains neither, so those systems often fail to stop diversionary payment fraud.
LinkedIn declined to comment.
Source: The Times